Posted by Philip Ronan on 09/08/05 02:10
"tom pester" wrote:
>> Turing numbers would help
>
> I know about these but I kept it simple and performed another (inadequate)
> turing test.
> Computers can add as well as the best and it won't be long till they can read those
> images too (if they can't already).
Not true. Optical character recognition works fine in cases where the
position, size and colour of the characters is approximately known. But
unusual character styles (e.g. <http://www.adsmalta.com/?reason=recover>)
and/or random noise and deformation applied to the image (e.g.
<http://blast4dollars.com/list.php>) make things far more difficult.
On the other hand, extracting two numbers from the HTML source of a web page
and adding them together is ridiculously easy. A combination of
file_get_contents() and simple string matching is all you need.
>> but if you publish your source code you'll
>> still make things relatively easy for the spammers:
>
> I made the decision to publish the source code so I would write more secure
> code.
> I think secure code that solely relies on obfuscation is not good enough.
> Code is really secure if a hacker can't break it even if he knows how it's
> implemented.
Well I suggest you start by learning how to write secure code before you
publish all this stuff. You're really asking for trouble.
> I rewrote the addition test with a session and a measure to avoid replay
> attacks.
A futile effort, unfortunately.
> Can you think of another way to circumvent the test other than to parse the
> file and let a computer do the addition?
Do I need to think of another way? It would take me 5 minutes to write a
script to crack your "security". In another 5 minutes I could have sent
hundreds of emails from your site.
Take the page down before it's too late.
--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/
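The "session and a measure to avoid replay attacks" mentioned in the thread is worth seeing concretely, because it shows both what such a measure buys and what it does not. The following is an added example, not code from either poster: a server-side store (the class name `ChallengeStore` and its methods are assumptions) that binds each arithmetic challenge to the visitor's session, gives it an expiry, and lets it be answered exactly once. It closes the replay hole, but, as the reply above points out, it does nothing about a script that simply reads the question and adds the numbers; the answer is kept on the server so that at least the page source never reveals it.

```python
import secrets
import time

# Added example (not the poster's code): a per-session, single-use, expiring
# arithmetic challenge. Names and the 5-minute default are assumptions.


class ChallengeStore:
    """Keeps unanswered challenges keyed by a random nonce."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested
        self.pending = {}             # nonce -> (session_id, answer, expires_at)

    def _purge_expired(self):
        """Drop stale entries so unanswered challenges cannot pile up."""
        now = self.clock()
        for nonce in [n for n, (_, _, exp) in self.pending.items() if exp < now]:
            del self.pending[nonce]

    def issue(self, session_id):
        """Create a challenge for this session and return (nonce, question).
        Only the question text goes to the client; the answer stays here."""
        self._purge_expired()
        a = secrets.randbelow(90) + 10
        b = secrets.randbelow(90) + 10
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = (session_id, a + b, self.clock() + self.ttl)
        return nonce, f"What is {a} + {b}?"

    def verify(self, session_id, nonce, submitted):
        """True only for an unexpired challenge issued to the same session with
        the correct answer. The nonce is consumed on any attempt, so a wrong
        guess and a replayed answer both force a fresh challenge."""
        record = self.pending.pop(nonce, None)
        if record is None:
            return False
        owner, answer, expires_at = record
        if owner != session_id or self.clock() > expires_at:
            return False
        try:
            return int(str(submitted).strip()) == answer
        except ValueError:
            return False
```

In a real form handler the nonce travels in a hidden field and `session_id` comes from the server-side session, so a captured (nonce, answer) pair is useless once it has been submitted, from another session, or after the timeout. The remaining weakness is the one the thread is about: the question is plain text, so the only durable fixes are the kind of distortion described for image challenges or an additional control such as rate limiting per session and address.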